FAPOLICYD.RULES:(7)        System Administration Utilities       FAPOLICYD.RULES:(7)


NAME
       fapolicyd.rules - fapolicyd rules to determine access rights

DESCRIPTION
       fapolicyd.rules is a file that contains the rules that fapolicyd uses
       to make decisions about access rights. The rules follow a simple format
       of:

              access subject object

       They are evaluated from top to bottom with the first rule to match
       being used for the access control decision.


   Access
       The decision is either allow, deny, allow_audit, or deny_audit. If the
       rule triggers, this is the access decision that fapolicyd will tell the
       kernel. If the decision is one of the audit variety, then the decision
       will trigger a FANOTIFY audit event with all relevant information.


   Subject
       The subject is the process that is performing actions on system
       resources. The fields in the rule that describe the subject are written
       in a name=value format. There can be one or more subject fields. Each
       field is AND'ed with the others to decide if a rule triggers. The name
       can be any of the following:


       all        This matches against any subject. When used, this
                  must be the only subject field in the rule.

       auid       This is the numeric login uid that the audit system
                  assigns users when they log in to the system. Daemons
                  have a value of -1.

       uid        This is the numeric user id that the program is
                  running under.

       sessionid  This is the numeric session id that the audit system
                  assigns to users when they log in. Daemons have a
                  value of -1.

       pid        This is the numeric process id that a program has.

       comm       This is the shortened command name. When an
                  interpreter starts a program, it usually renames the
                  program to the script rather than the interpreter.

       exe        This is the full path to the executable. Globbing is
                  not supported. You may also use the special keyword
                  untrusted to match on the subject not being listed
                  in the rpm database.

       exe_dir    If you wish to match a directory, then use this by
                  giving the full path to the directory. It is
                  recommended to end with the / to ensure it matches a
                  directory. There are 3 keywords that exe_dir
                  supports: execdirs, systemdirs, untrusted.

                  execdirs    The execdirs option will match against
                              the following list of directories:

                              /usr/ /bin/ /sbin/ /lib/ /lib64/
                              /usr/libexec/

                  systemdirs  The systemdirs option will match against
                              the same list as execdirs but also
                              includes /etc/.

                  untrusted   The untrusted option will look up the
                              current executable's full path in the
                              rpm database to see if the executable is
                              known to the system. The rule will
                              trigger if the file in question is not
                              packaged.

       exe_type   This option takes the mime type of a file as an
                  argument. If you wish to check the mime type of a
                  file while writing rules, run the following command:

                         file --mime-type /path-to-file


       exe_device This option will match against the device that the
                  executable resides on. To use it, start with /dev/
                  and add the target device name.


       pattern    There are various ways that an attacker may try to
                  execute code, and these may reveal themselves in the
                  pattern of file accesses made during program startup.
                  This field can take one of several options depending
                  on which access pattern you wish to block. Fapolicyd
                  is able to detect these different access patterns
                  and provide the access decision as soon as it
                  identifies the pattern. The pattern type can be any
                  of:


                  normal           This matches against any ELF program
                                   that is dynamically linked.

                  bad_interpreter  This matches against access patterns
                                   that indicate that the default ELF
                                   interpreter is not being used.

                  ld_so            This matches against access patterns
                                   that indicate that the program is
                                   being started directly by the runtime
                                   linker.



   Object
       The object is the file that the subject is interacting with. The fields
       in the rule that describe the object are written in a name=value
       format. There can be one or more object fields. Each field is AND'ed
       with the others to decide if a rule triggers. The name can be any of
       the following:


       all        This matches against any object. When used, this
                  must be the only object field in the rule.

       path       This is the full path to the file that will be
                  accessed. Globbing is not supported. You may also
                  use the special keyword untrusted to match on the
                  object not being listed in the rpm database.

       dir        If you wish to match on access to any file in a
                  directory, then use this by giving the full path to
                  the directory. It is recommended to end with the /
                  to ensure it matches a directory. There are 3
                  keywords that dir supports: execdirs, systemdirs,
                  untrusted. See exe_dir for an explanation of these
                  keywords.

       device     This option will match against the device that the
                  file being accessed resides on. To use it, start
                  with /dev/ and add the target device name.

       ftype      This option matches against the mime type of the
                  file being accessed. See exe_type for more
                  information on determining the mime type.

       sha256hash This option matches against the sha256 hash of the
                  file being accessed.


EXAMPLES
       The following rules show how rules may look.

              deny_audit exe=/usr/bin/wget dir=/tmp/
              allow exe=/usr/bin/python3.4 dir=execdirs ftype=text/x-python
              deny_audit pattern=ld_so all
              deny all all


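The rule format and first-match evaluation described above, as an added example that is not part of fapolicyd or of this man page: a small Python evaluator that parses rules in the `access subject object` form, applies them top to bottom, and returns the decision of the first rule whose subject and object fields all match. The rpm-database lookup behind the untrusted keyword is replaced by a constructed set of "packaged" paths (PACKAGED), the access events are constructed dicts, and the rule set is modelled on the page's examples with a sha256hash rule and an exe_dir=untrusted rule added; the execdirs and systemdirs lists follow the page.

```python
"""Toy evaluator for fapolicyd.rules-style rules (added example, not fapolicyd code).

Implements only what the man page states: `access subject object`, rules evaluated
top to bottom, first match wins, all fields of a rule AND'ed. The rpm database behind
the `untrusted` keyword is replaced by a constructed set of "packaged" paths.
"""
import hashlib

EXECDIRS = ("/usr/", "/bin/", "/sbin/", "/lib/", "/lib64/", "/usr/libexec/")
SYSTEMDIRS = EXECDIRS + ("/etc/",)  # execdirs plus /etc/
DECISIONS = {"allow", "deny", "allow_audit", "deny_audit"}
SUBJECT_FIELDS = {"all", "auid", "uid", "sessionid", "pid", "comm", "exe",
                  "exe_dir", "exe_type", "exe_device", "pattern"}
OBJECT_FIELDS = {"all", "path", "dir", "device", "ftype", "sha256hash"}
PACKAGED = {"/usr/bin/wget", "/usr/bin/python3.4", "/lib64/ld-linux-x86-64.so.2"}  # constructed


def parse_rules(text):
    """Parse rule text into a list of (decision, subject_fields, object_fields)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        decision, *fields = line.split()
        if decision not in DECISIONS:
            raise ValueError(f"line {lineno}: unknown access decision {decision!r}")
        subject, obj = {}, {}
        side = subject  # subject fields come first, then object fields
        for field in fields:
            name, _, value = field.partition("=")
            if name == "all":  # a bare `all` after any subject field is the object's
                side = obj if (side is obj or subject) else subject
            elif name in OBJECT_FIELDS:
                side = obj
            elif name not in SUBJECT_FIELDS or side is obj:
                raise ValueError(f"line {lineno}: unexpected field {name!r}")
            if name != "all" and not value:
                raise ValueError(f"line {lineno}: field {name!r} needs a value")
            side[name] = value or "all"
        for part in (subject, obj):
            if not part:
                raise ValueError(f"line {lineno}: rule needs both a subject and an object")
            if "all" in part and len(part) > 1:
                raise ValueError(f"line {lineno}: `all` must be the only field on its side")
        rules.append((decision, subject, obj))
    return rules


def _match(name, want, event):
    """True when one rule field matches an access event (a dict of attributes)."""
    if name == "all":
        return True
    # exe_dir and dir are prefix tests on the subject's exe / the object's path
    actual = event.get({"exe_dir": "exe", "dir": "path"}.get(name, name))
    if actual is None:
        return False
    actual = str(actual)
    if name in ("exe", "path", "exe_dir", "dir") and want == "untrusted":
        return actual not in PACKAGED
    if name in ("exe_dir", "dir"):
        if want == "execdirs":
            return actual.startswith(EXECDIRS)
        if want == "systemdirs":
            return actual.startswith(SYSTEMDIRS)
        return actual.startswith(want)  # plain prefix: end it with / to mean a directory
    return actual == want


def decide(rules, event):
    """Top to bottom, the first rule whose subject and object fields all match decides."""
    for decision, subject, obj in rules:
        if all(_match(n, v, event) for n, v in subject.items()) and \
                all(_match(n, v, event) for n, v in obj.items()):
            return decision
    return None  # nothing matched; real rule sets end with a catch-all such as `deny all all`


SCRIPT = b"#!/usr/bin/python3.4\nprint('hello')\n"  # constructed file content
SCRIPT_HASH = hashlib.sha256(SCRIPT).hexdigest()
RULES = f"""
# constructed rule set modelled on the man page's examples
deny_audit exe=/usr/bin/wget dir=/tmp/
allow exe=/usr/bin/python3.4 dir=execdirs ftype=text/x-python
allow exe=/usr/bin/python3.4 sha256hash={SCRIPT_HASH}
deny_audit pattern=ld_so all
deny exe_dir=untrusted all
deny all all
"""
EVENTS = {  # constructed access events: subject attributes plus object attributes
    "wget_tmp": {"exe": "/usr/bin/wget", "pattern": "normal",
                 "path": "/tmp/payload.sh", "ftype": "text/x-shellscript"},
    "py_system": {"exe": "/usr/bin/python3.4", "pattern": "normal",
                  "path": "/usr/lib64/python3.4/site.py", "ftype": "text/x-python"},
    "py_home_hashed": {"exe": "/usr/bin/python3.4", "pattern": "normal", "path": "/home/alice/tool.py",
                       "ftype": "text/x-python", "sha256hash": SCRIPT_HASH},
    "py_home_other": {"exe": "/usr/bin/python3.4", "pattern": "normal", "path": "/home/alice/other.py",
                      "ftype": "text/x-python", "sha256hash": hashlib.sha256(b"edited").hexdigest()},
    "ld_so": {"exe": "/lib64/ld-linux-x86-64.so.2", "pattern": "ld_so",
              "path": "/home/alice/dropper", "ftype": "application/x-executable"},
    "unpackaged": {"exe": "/home/alice/bin/tool", "pattern": "normal",
                   "path": "/etc/passwd", "ftype": "text/plain"},
}


def decisions():
    """Evaluate every sample event against RULES; returns {event name: decision}."""
    rules = parse_rules(RULES)
    return {name: decide(rules, event) for name, event in EVENTS.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:15} -> {verdict}")
```

Reordering the rules changes the outcome: placing `deny all all` first denies every event, which is why the page says the first matching rule wins and a catch-all belongs at the end. The dir and exe_dir keywords are plain prefix matches here, so `dir=/tmp` would also match a path such as `/tmpfoo`; ending the value with `/` avoids that, as the page recommends.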
SEE ALSO
       fapolicyd(8) and fapolicyd.conf(5)


AUTHOR
       Steve Grubb



Red Hat                            May 2016                   FAPOLICYD.RULES:(7)